Scanning For Windows Viruses Using Unix?

Webmoth asks: "As a networking consultant providing services to small businesses, I find myself installing an increasing number of Linux/Samba servers. Many of these clients are now getting always-on Internet connections with static IP addresses so that they can have an in-house mail server on that Linux box. I am concerned about the increased possibility of viruses infecting their network because of this. I'm not worried about the Linux box contracting a virus (that typically requires user intervention), but would like some solution, a software package running on Linux, that monitors for Windows viruses as files are accessed on the Samba server. It would be nice if there was a module that interacted with Sendmail to block e-mail viruses, too." Remember, many solutions that work for Linux will work for other Unixen as well. Unix machines typically act as mail servers for most enterprises so it would help prevent e-mail virus outbreaks if scanning can be done at the server level as well as the client level.

"Ideally, this Linux antivirus product would act as a server to provide virus definitions and scan control to Windows clients (much like Symantec's Norton Antivirus Enterprise Solution, formerly Intel's LanDesk, which is a great product but Windows-exclusive), as you can't trust users to maintain their virus software. Symantec had a press release back in April which seemed to indicate Linux support, but a knowledge base article posted the following day reveals that support is provided by scanning a shared Linux filesystem that can be mounted by a Windows box running Norton Antivirus. I'd like to see real Linux support. Anybody know of a practical solution?"

  • I have had very good experiences running qmail together with qmail-scanner.

    While qmail itself offers, of course, many advantages compared to sendmail (security, speed, modularity), the one that most impresses me in my day-to-day work is the modularity.

    qmail's modularity allows, in the case of qmail-scanner, intercepting the mail before it enters the system queue and running one or several of the antivirus scanners available for Linux on it.

    qmail-scanner, in conjunction with the tnef package, is even able to scan inside those stupid TNEF attachments MS products like to use.

    I usually run it with AVP as the virus scanner (price/performance), but as I already said it runs with any of the virus scanners available for Linux.

    Although I haven't really played with it a lot yet, AVP also comes with a daemon which will accept files through sockets; this should make it relatively easy to write some little app to provide remote scanning capabilities.
  • The AMaViS code is pretty messy - it is essentially a shell script, and as such relies on invoking a great deal of external tools such as find, file, grep, etc. And of course it needs lots of disk space for temporary files. For these reasons I've been very leery of using it anywhere even a moderate mail load was to be expected. Also, this may be a cheap shot since they've fixed the worst problems since I noticed them (quite a while ago), but there were some pretty bad security issues within AMaViS itself last time I looked.

    Inflex is much cleaner, but still has the same basic (IMO broken) design, and both lack a lot of features I want. For these reasons I started work on my own solution, the Anomy sanitizer. Follow the link in my signature to check it out; it's pretty reliable these days.

  • Look into AMaViS [amavis.org] for scanning mail as it enters sendmail. AMaViS integrates with a number of third-party virus scanners.
  • Thanks for this info. Some of my clients are, in fact, using CommuniGate Pro. I wasn't aware that there was an antivirus plugin for it.

  • I don't know much about a Linux box as an AV server, but there are two Linux email gateway AV solutions. Trend Micro, the market leader, has InterScan VirusWall, which more or less turns your box into an email relay filtering out virii. myCIO (of Rumor fame) is also soon releasing a product very similar to Trend's, so right now I guess there is only one solution, but I believe myCIO is due to release their product in December.
  • I use CommuniGate Pro, which, yes, isn't free, nor open source. However, it's the best product I've found for an email server. And they offer, in conjunction with McAfee, a plugin that will scan emails for all those nasty love-you/Melissa virii. Give it a look at www.stalker.com. If you're doing a big project and they want a reliable, VERY powerful server, you can get a license for 250 addys for only $1,000. A little steep for some, but for others, it's a good product for a good price.
  • Here's the info I got from the Stalker mailing list, in case they don't have a link up yet.

    Plugin Release:

    The McAfee VirusScanner plugins for CommuniGate Pro are released.

    The plugins require the CommuniGate Pro version 3.4b2 or better.

    FreeBSD - Intel
    <http://www.stalker.com/pub/plugins/CGPMcAfee-FreeBSD-Intel.tar.gz>
    <ftp://ftp.stalker.com/pub/plugins/CGPMcAfee-FreeBSD-Intel.tar.gz>

    Linux - Intel
    <http://www.stalker.com/pub/plugins/CGPMcAfee-Linux-Intel.tar.gz>
    <ftp://ftp.stalker.com/pub/plugins/CGPMcAfee-Linux-Intel.tar.gz>

    Win32 - Intel
    <http://www.stalker.com/pub/plugins/CGPMcAfee-Win32-Intel.zip>
    <ftp://ftp.stalker.com/pub/plugins/CGPMcAfee-Win32-Intel.zip>

    Solaris - Sparc
    <http://www.stalker.com/pub/plugins/CGPMcAfee-Solaris-Sparc.tar.gz>
    <ftp://ftp.stalker.com/pub/plugins/CGPMcAfee-Solaris-Sparc.tar.gz>

    AIX - PowerPC
    <http://www.stalker.com/pub/plugins/CGPMcAfee-AIX-PPC.tar.gz>
    <ftp://ftp.stalker.com/pub/plugins/CGPMcAfee-AIX-PPC.tar.gz>
  • I know they use FreeBSD for their production servers. Unless they have some sort of Windows intermediary which does the scanning (which I kind of doubt) they're doing it on a Unix box.
  • I got AVP for Linux from www.avp.com.au and tried it. It seems to work great. It has a daemon mode, and the clients can update themselves from the server etc., à la the Symantec enterprise edition, which I have tried on NT. AVP for Linux also has a sendmail plugin that scans the mail.
    hope that helps,
    Dave
  • We've got this running on the network at my campus, and it works reasonably well (now that we've added normal.dot to the list of files to be restored on logout). Every time a user logs out of an NT machine, PC-Rdist does a quick scan and replaces anything that needs replacing. This tends to keep things reasonably clean; although at first, before we protected normal.dot, the lab PCs were just a haven for Word macro virii.

    Also, I definitely agree about having homogeneous hardware -- we don't, and it's a huge pain. We've got, I think, 4 different kinds of PC in the labs, each with its own image that it restores from, and it's just an enormous hassle.

    In all, though, this is a reasonable (and pretty cheap) way to protect PCs from virii.

  • I personally have used Kaspersky Antivirus [avp.com]. (If the US site is down, you can also try the Russian Site [www.avp.ru]).

    I discovered this from a page which covers exactly what you are looking for. The page is here. [decros.cz]

  • We use it on our mail server, and my mailbox can attest to how well it works (I got an alert for each one stopped). Our customers are grateful, and we have gotten customers from other local ISPs because of it. When they send a virus through our mail filter, we stop it and then they get a message with tips on getting clean. Some of the ISPs in the area have been very UNhelpful to their own customers, and when they call us, they usually end up switching :-)
  • I'm the author of a free software program called "the Anomy sanitizer". Click on my signature to download it or read the readme.

    Anomy allows you to define on a mail gateway (sendmail, qmail or something else - Anomy is mailer independent) what to do to different sorts of attachments. Options include "drop", "save", "scan" (with a third party virus scanner), "mangle" (rename to avoid windows extension risks) and "accept".

    Anomy is more powerful than Amavis or Inflex, in that it allows you to selectively scan/drop/... only certain types of files for viruses (thus saving CPU cycles when people are just swapping .gifs). So you can tailor it pretty carefully to match the needs of your customer. And Anomy should also be faster, since it doesn't need as many forks or use up temporary disk space for each message. Anomy is also aware of non-MIME attachments, so all those uuencoded outlook-style attachments will get scanned. The same goes for nested MIME parts. Some of the other solutions get these things wrong, which means that things are likely to slip through.

    Another feature Anomy has which the others lack, is a method for cleaning up risky HTML - disabling things like styles, javascript, ActiveX - all of which have had email security related problems.

    I wrote Anomy because I wasn't happy with any of the other available free solutions, and I've reached all of my technical goals - so I think it's fair to say that mine is better. It's also been pretty stable for the last few months. Now I just need to write a decent manual... :-)


  • by larien ( 5608 )
    We use it under Solaris here, and it works OK but I've seen it get wedged in some circumstances. It does seem to be reproducible as it always gets wedged under one specific user's home drive, but I haven't had time to hammer it out properly to submit a bug report to McAfee.

    BTW, I've found it works an absolute dream using qmail and qmailscan (both packages available from qmail's home page) and has stopped a lot of viruses being sent via email. Qmailscan also stops attachments with certain extensions; in my case, I set it up to block .VBS and was very glad when it stopped an ILOVEYOU variant :)
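
The per-attachment policy Anomy's author describes (drop / scan / mangle / accept, applied to nested MIME parts too) and larien's .VBS block above, written out as an added example. This is not Anomy, qmail-scanner or any product's code; it assumes a scanner hook that stands in for the site's external engine (here it recognises only the EICAR test string), its own extension lists, and a ".defanged" rename suffix. The sample message is constructed, not a capture.

```python
"""Per-attachment mail gateway policy: accept / mangle / scan / drop.

Added example for this thread, not code from Anomy, qmail-scanner or any product
named above. The scanner hook stands in for an external engine and knows only the
EICAR test string; extension lists and the ".defanged" suffix are assumptions."""
import email
import posixpath
from email import policy
from email.message import EmailMessage

# Windows runs these on double-click: keep them, but rename so nobody launches one by accident.
MANGLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".js", ".jse", ".wsf", ".lnk", ".reg"}
DROP_EXTS = {".vbs", ".vbe", ".shs", ".hta"}        # refused outright; ILOVEYOU travelled as .vbs
SCAN_EXTS = {".doc", ".dot", ".xls", ".ppt", ".rtf", ".zip"}  # handed to the scanner
MANGLE_SUFFIX = ".defanged"
# Harmless test string that every scanner flags; here it is the whole "engine".
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_scanner(data: bytes) -> bool:
    """True if infected. In production: write data to a temp dir and run the site's scanner."""
    return EICAR in data


def classify(filename: str) -> str:
    """Judge the LAST extension only, the one Windows honours, so the double-extension
    trick ("LOVE-LETTER-FOR-YOU.TXT.vbs") is seen as .vbs rather than .txt."""
    ext = posixpath.splitext(filename.lower())[1]
    if ext in DROP_EXTS:
        return "drop"
    if ext in MANGLE_EXTS:
        return "mangle"
    return "scan" if ext in SCAN_EXTS else "accept"


def _sanitize_container(container, scanner, log):
    """Rewrite one multipart level in place, recursing into nested multiparts
    (forwarded mail, multipart/alternative) so nothing hides one level down."""
    kept = []
    for sub in container.get_payload():
        if sub.is_multipart():
            _sanitize_container(sub, scanner, log)
            kept.append(sub)
            continue
        name = sub.get_filename()
        if not name:                          # inline body text, not an attachment
            kept.append(sub)
            continue
        action = classify(name)
        if action == "scan":                  # decode the transfer encoding before scanning
            action = "infected" if scanner(sub.get_payload(decode=True)) else "clean"
        log.append((name, action))
        if action in ("drop", "infected"):    # leave a trace where the part was
            notice = EmailMessage()
            notice.set_content(f"[gateway] attachment {name!r} removed ({action})\n")
            kept.append(notice)
            continue
        if action == "mangle":
            del sub["Content-Disposition"]
            sub["Content-Disposition"] = f'attachment; filename="{name}{MANGLE_SUFFIX}"'
        kept.append(sub)
    container.set_payload(kept)


def sanitize(raw: bytes, scanner=eicar_scanner):
    """Parse a raw RFC 822 message, apply the policy, return (rewritten message, log)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    log = []
    if msg.is_multipart():
        _sanitize_container(msg, scanner, log)
    return msg, log


def attachment_names(msg) -> list:
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def roundtrip_names(msg) -> list:
    """Serialize and re-parse: the rewritten headers must survive delivery."""
    return attachment_names(email.message_from_bytes(msg.as_bytes(), policy=policy.default))


def build_sample() -> bytes:
    """Constructed message, not a capture: double-extension .vbs, raw .exe,
    EICAR inside a .doc, a harmless .gif, and a nested multipart hiding a .cmd."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "alice@example.com", "bob@example.com", "ILOVEYOU"
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    octet = dict(maintype="application", subtype="octet-stream")
    msg.add_attachment(b'MsgBox "hi"\r\n', filename="LOVE-LETTER-FOR-YOU.TXT.vbs", **octet)
    msg.add_attachment(b"MZ\x90\x00", filename="setup.exe", **octet)
    msg.add_attachment(EICAR, maintype="application", subtype="msword", filename="report.doc")
    msg.add_attachment(b"GIF89a", maintype="image", subtype="gif", filename="cat.gif")
    inner = EmailMessage()
    inner.set_content("forwarded text")
    inner.add_attachment(b"@echo off\r\n", filename="notes.cmd", **octet)
    msg.attach(inner)                         # nested multipart/mixed inside the outer one
    return msg.as_bytes()
```

Running `sanitize(build_sample())` drops the .vbs and the EICAR-carrying .doc (replacing each with a text notice), renames setup.exe and the nested notes.cmd so Windows will not execute them on a double-click, and passes cat.gif through without spending a scanner run on it. The point of keying on the final extension is that a file called `.TXT.vbs` is still a script to Windows; the point of recursing is that a forwarded message is just another multipart, and a filter that only looks at the top level lets it through.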

  • For the server-side protection, I'd have a look at Sophos [sophos.com]'s product.

    As for the automatically-distributed client, you should evaluate (for free) Trend Micro [trendmicro.com]'s OfficeScan Corporate Edition to see if it plays nice with Samba. It runs no code on the server. The software and updates get delivered via client pull, initiated by Windows login scripts, and the admin interface can be run from any Windows machine with proper share access to the distributing host.
  • While I suspect you're at the mercy of Norton et al. for waiting for a true Linux virus scanner, there's another option that might help reduce virus damage - automatically maintaining Windows system files.

    I've mainly seen this done via some netbooting variant of NT, but it could be done using Linux as well. Either on startup or at regular intervals, system and other non-data files on Windows machines are compared regularly to protected reference copies of the files. Files that don't match are overwritten. Files that are missing are replaced. Files that shouldn't be there are wiped.

    The down side: Your Windows environment has to be homogeneous (including hardware). Otherwise, your administrative hassles skyrocket, because you have to maintain a separate reference copy for every variant of the installation.

    The plus side: This is the only sure-fire way that I know of to protect a Windows system from corruption, be it induced by a virus or by time. From what I've seen, it works quite well.

    The Problem: You're going to have a lot of fun gaining read/write access to all of the required drives remotely and securely. Read access might be manageable without opening too many holes.
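
The compare-and-restore cycle described in this comment (and the normal.dot restore the campus reply above relies on), written out as an added example. It is not PC-Rdist or any product's code. It assumes a reference image the Linux box can read and a client volume it can write, which is exactly the access problem the comment raises; the reference and client trees here are constructed under a temp directory, and the file contents are stand-ins, not real Windows binaries.

```python
"""Reference-image integrity check and repair for a fleet of identical Windows installs.

Added example for this thread, not PC-Rdist or any product named above. The reference
tree and the drifted client tree are constructed under a temp directory; on a real
Samba box the reference would live on a read-only share and the client tree would be
the client's volume, which is the hard part to reach securely."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: str) -> dict:
    """Relative path (forward slashes) -> SHA-256 for every file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return out


def compare(ref: dict, client: dict) -> dict:
    """Three drift classes: changed content, reference files gone, files the image never had."""
    return {
        "modified": sorted(p for p in ref if p in client and ref[p] != client[p]),
        "missing": sorted(p for p in ref if p not in client),
        "extra": sorted(p for p in client if p not in ref),
    }


def repair(ref_root: str, client_root: str, diff: dict, dry_run: bool = False) -> list:
    """Put the client back to the reference state; return the actions taken (or planned)."""
    actions = []
    for rel in diff["modified"] + diff["missing"]:
        actions.append(("restore", rel))
        if not dry_run:
            dst = os.path.join(client_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copyfile(os.path.join(ref_root, rel), dst)
    for rel in diff["extra"]:                 # anything the image never had is wiped
        actions.append(("delete", rel))
        if not dry_run:
            os.remove(os.path.join(client_root, rel))
    return actions


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def build_trees(base: str) -> tuple:
    """Constructed data: a three-file reference image and a client that drifted the way
    the thread describes (macro in normal.dot, a system file gone, a script dropped)."""
    ref_root, client_root = os.path.join(base, "reference"), os.path.join(base, "client")
    reference = {
        "windows/system32/kernel32.dll": b"clean kernel32 stand-in",
        "windows/explorer.exe": b"clean explorer stand-in",
        "program files/microsoft office/templates/normal.dot": b"clean template, no macros",
    }
    for rel, data in reference.items():
        _write(os.path.join(ref_root, rel), data)
    _write(os.path.join(client_root, "windows/system32/kernel32.dll"),
           reference["windows/system32/kernel32.dll"])
    _write(os.path.join(client_root, "program files/microsoft office/templates/normal.dot"),
           reference["program files/microsoft office/templates/normal.dot"] + b"\nSub AutoOpen()")
    _write(os.path.join(client_root, "windows/system32/dropped.vbs"), b"' constructed payload stand-in")
    return ref_root, client_root


def demo(dry_run: bool = False) -> tuple:
    """Run one cycle: (drift found, actions taken or planned, drift left afterwards)."""
    base = tempfile.mkdtemp(prefix="refcheck-")
    try:
        ref_root, client_root = build_trees(base)
        before = compare(manifest(ref_root), manifest(client_root))
        actions = repair(ref_root, client_root, before, dry_run=dry_run)
        after = compare(manifest(ref_root), manifest(client_root))
        return before, actions, after
    finally:
        shutil.rmtree(base, ignore_errors=True)
```

`demo()` finds the macro-laden normal.dot as modified, explorer.exe as missing and dropped.vbs as extra, restores the first two from the reference, deletes the third, and the second comparison comes back empty. Run it with `dry_run=True` first on a real client: the action list tells you what the policy would do to that machine before anything is overwritten, and a long "extra" list usually means the reference image is incomplete rather than that the client is infected.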
  • Surprised no-one else has posted this yet - Sophos [sophos.com] offers AV software for Windows, Netware, OS/2, Unix (Solaris, Linux, SCO, Digital, AIX, FreeBSD, HP-UX) and OpenVMS servers, and Windows, OS/2, Mac and DOS clients.

    Our company uses it on Netware servers/Windows clients, and it's been great - although I haven't used any of the other server versions I'd expect them to be at least as good. SAVAdmin and other management tools work well too (provided you've got an NT machine handy to run it) - updates, client upgrades and the like can all be automated.

  • There are four or five companies that offer Linux support, but few that offer $OTHERUNIX support; one worth looking at is Sophos - they offer a range of alternate platforms [sophos.com] and were the only ones I could find that supported Digital Unix on Alphaservers.

    I also asked this question a month or so back and got rejected - obviously luck of the draw for which reviewer you get :+)

  • by BitMan ( 15055 ) on Friday October 27, 2000 @02:46AM (#671790)

    Will solve 99.9% of your problems. Of course it messes up Outlook's automation features, but that was the problem in the first place. It got rid of all our issues.

    BTW, Bynari [bynari.com] has an Exchange-server replacement for Linux that will give your Outlook clients most of those features back at the server level. As such, we're thinking about switching from HP OpenMail to Bynari's TradeServer.

    -- Bryan "TheBS" Smith

  • by kevin42 ( 161303 ) on Thursday October 26, 2000 @10:34PM (#671791)
    McAfee has a linux scanner that uses the same dat files as the windows version. I've been using it for a while and it does a good job. It's even caught a few viruses for me:

    http://www.nai.com/asp_set/buy_try/try/products_evals.asp [nai.com]

    If you are looking for an email scanner check this out, it is a great email scanner:

    http://www.amavis.org/ [amavis.org]
